Exploiting Administrator Insecurities - adsecurity.org · •RunAs on workstation and run standard...

Exploiting Active Directory Administrator Insecurities

Sean Metcalf (@Pyrotek3)

s e a n @ adsecurity . orgwww.ADSecurity.org

• Founder Trimarc (Trimarc.io), a professional services company that helps organizations better secure their Microsoft platform, including the Microsoft Cloud.

• Microsoft Certified Master (MCM) Directory Services

• Speaker: Black Hat, Blue Hat, BSides, DEF CON, DerbyCon, Shakacon, Sp4rkCon

• Security Consultant / Researcher

• Active Directory Enthusiast - Own & Operate ADSecurity.org(Microsoft platform security info)

Sean Metcalf | @PyroTek3 | sean@adsecurity.org

AGENDA

•Evolution of Admin Discovery

•Exploiting Typical Administration

•Multi-Factor Authentication (MFA)

•Password Vaults

•Admin Forest

•Attacking RODCs

The Evolution of Admin Discovery

Discovering AD Admins

Enumerate the membership of “Domain Admins”

Only looking at Domain Admin Membership?

What are we missing?

•Domain Admins group membership: 6

•Administrators group membership: 20

Domain Admins is a member of Administrators

DA gets full AD admin rights & full DC admin rights from the Administrators group

What if we see this?

Discover all accounts with AdminCount = 1

Note: This only shows potential AD admins in this domain

What if our tool isn’t multi-domain or multi-forest capable?

Discovering Hidden Admin & AD Rights

• Review settings in GPOs linked to Domain Controllers

• The “Default Domain Controllers Policy” GPO (GPO GUID 6AC1786C-016F-11D2-945F-00C04FB984F9) typically has old settings.

Discovering Hidden Admin & AD Rights

• Review settings in GPOs linked to Domain Controllers

• The “Default Domain Controllers Policy” GPO (GPO GUID 6AC1786C-016F-11D2-945F-00C04FB984F9) typically has old settings.

• User Rights Assignments in these GPOs are hidden gold.

• These are rarely checked…

Allow Log On LocallyDefault Groups:

• Account Operators

• Administrators

• Backup Operators

• Print Operators

• Server Operators

Additional Groups:

• Lab Admins

• Server Tier 3

• Domain Users

Allow Log On LocallyDefault Groups:

• Account Operators

• Administrators

• Backup Operators

• Print Operators

• Server Operators

Additional Groups:

• Lab Admins

• Server Tier 3

•Domain Users

What If We Can Gain Remote “Local” Access?

https://airbus-seclab.github.io/ilo/SSTIC2018-Article-subverting_your_server_through_its_bmc_the_hpe_ilo4_case-gazet_perigaud_czarny.pdf

HP released patches for CVE-2017-12542 in August last year, in iLO 4 firmware version 2.54.

The vulnerability affects all HP iLO 4 servers running firmware version 2.53 and before. Other iLO generations, like iLO 5, iLO 3, and more are not affected.

https://www.bleepingcomputer.com/news/security/you-can-bypass-authentication-on-hpe-ilo4-servers-with-29-a-characters/

HP ILO Vulnerability CVE-2017-12542

Allow Log On Locally + RDP Logon = DC Fun!

Allow Log On Locally

• Account Operators• Administrators• Backup Operators• Print Operators• Server Operators• Lab Admins• Domain Users• Server Tier 3

Allow Log On Through Terminal Services

• Administrators• Server Tier 3

Allow Log On Locally

• Account Operators• Administrators• Backup Operators• Print Operators• Server Operators• Lab Admins• Domain Users• Server Tier 3

Allow Log On Through Terminal Services

• Administrators• Server Tier 3

Manage Auditing & Security LogDefault Groups:

• Administrators

• [Exchange]

Additional Groups:

• Lab Admins

Enable Computer & User Accounts to be Trusted for Delegation

•Administrators

• Lab Admins

• Server Tier 3

* The user or machine object that is granted this right must have write access to the account control flags.

Identifying Admin Restrictions

The Evolution of Administration

Where We Were• In the beginning, there were admins everywhere.

• Sometimes, user accounts were Domain Admins.

• Every local Administrator account has the same name & password.

• Some environments had almost as many Domain Admins as users.

Where We WereThis resulted in a target rich environment with multiple paths to exploit.

Traditional methods of administration are trivial to attack and compromise due to admin credentials being available on the workstation.

Where We Were: “Old School Admin Methods”

• Logon to workstation as an admin • Credentials in LSASS.

•RunAs on workstation and run standard Microsoft MMC admin tools ("Active Directory Users & Computers“) • Credentials in LSASS.

•RDP to Domain Controllers or Admin Servers to manage them• Credentials in LSASS on remote server.

Where We Were: “Old School Admin Methods”

Where Are We Now: Newer “Secure" Admin Methods

Exploiting Typical Administration

What About MFA?Let’s MFA that RDP

Multi-Factor Authentication

Fun with MFA

Subverting MFAWhat if an attacker could bypass MFA without anyone noticing?

Subverting MFAACME has enabled users to update several attributes through a self-service portal.

• These attributes include:• Work phone number

• Work address

• Mobile number

• Org-specific attributes

• Work address

• Mobile number

• Work address

• Mobile number

Subverting MFA

Subverting MFA through SMS

Summary

• Company uses self-service to enable users to update basic user information attributes.

• Attacker compromises user account/workstation and performs self-service update of Mobile/Cell Phone Number to one the attacker controls.

• Attacker compromises admin user name & password

• Attacker leverages “backdoor” SMS/text message for MFA to use admin credentials.

• Game over.

Subverting MFA

https://www.n00py.io/2018/08/bypassing-duo-two-factor-authentication-fail-open/

Subverting MFA

MFA Onboarding

Customer MFA Recommendations• Yes, use MFA!• Don’t rely on MFA as the primary method to protect admin

accounts.• Use hardware tokens or App & disable SMS (when possible).• Ensure all MFA users know to report anomalies. • Research “Fail Closed” configuration on critical systems like

password vaults and admin servers.• Remember that once an attacker has AD Admin credentials,

MFA doesn’t really stop them.• Better secure the MFA on-boarding/updating process.• Identify potential bypass methods & implement

mitigation/detection.Sean Metcalf | @PyroTek3 | sean@adsecurity.org

From AD Adminaccount name & PW → DCSync

There’s Something About Password Vaults

Enterprise Password Vault

•Being deployed more broadly to improve administrative security.

• Typically CyberArk or Thycotic SecretServer.

• “Reconciliation” DA account to bring accounts back into compliance/control.

•Password vault maintains AD admin accounts.

•Additional components to augment security like a “Session Manager”.

Password Vault Option #1: Check Out Credential

Workstation

Password Vault

AdminServer

•Connect to Password Vault & Check Out Password (Copy).

Workstation

HTTPS Password Vault

AdminServer

Workstation

HTTPS Password VaultPassword

AdminServer

Workstation

HTTPS Password VaultPassword

AdminServer

•Paste Password into RDP Logon Window

Workstation

HTTPS Password Vault

AdminServer

Password

Attacking Enterprise Password Vault

Password Vault Option #2: RDP Proxy

•Password vault as the "jump" system to perform administration with no knowledge of account password.

Workstation Password Vault

AdminServer

Workstation

HTTPSPassword

AdminServer

Workstation

HTTPSPassword

VaultRDP

AdminServer

Workstation

HTTPSPassword

VaultRDP

What account is used to log on

AdminServer

Workstation

HTTPSPassword

VaultRDP

AdminServer

Workstation

HTTPSPassword

VaultRDP

Is MFA used?

AdminServer

Workstation

HTTPSPassword

VaultRDP

Is MFA used?

Who administers this server?

AdminServer

Workstation

HTTPSPassword

VaultRDP

Is MFA used?

Who administers this server?

Are network comms limited to the PV

AdminServer

Compromise the User’s Web Browser

Exploit Password Vault Administration

Password Vaults on the Internet

Password Vault Config Weaknesses

• Authentication to the PV webserver is typically performed with the admin’s user account.

• Connection to the PV webserver doesn’t always require MFA.

• The PV servers are often administered like any other server.

• Anyone on the network can send traffic to the PV server (usually).

• Sessions aren’t always limited creating an opportunity for an attacker to create a new session.

• Combining the PV web server & password management system increases risk.

• Vulnerability in PV can result in total Active Directory compromise.Sean Metcalf | @PyroTek3 | sean@adsecurity.org

CyberArk RCE Vulnerability (April 2018)• CVE-2018-9843:

“The REST API in CyberArk Password Vault Web Access before 9.9.5 and 10.x before 10.1 allows remote attackers to execute arbitrary code via a serialized .NET object in an Authorization HTTP header.”

• Access to this API requires an authentication token in the HTTP authorization header which can be generated by calling the “Logon” API method.

• Token is a base64 encoded serialized .NET object ("CyberArk.Services.Web.SessionIdentifiers“) and consists of 4 string user session attributes.

• The integrity of the serialized data is not protected, so it’s possible to send arbitrary .NET objects to the API in the authorization header.

• By leveraging certain gadgets, such as the ones provided by ysoserial.net, attackers may execute arbitrary code in the context of the web application.

https://www.redteam-pentesting.de/en/advisories/rt-sa-2017-014/-cyberark-password-vault-web-access-remote-code-execution

CyberArk RCE Vulnerability

https://www.redteam-pentesting.de/en/advisories/rt-sa-2017-014/-cyberark-password-vault-web-access-remote-code-execution

What about Admin Forest?(aka Red Forest)

Admin Forest = Enhanced Security Administrative Environment (ESAE)

Admin Forest Discovery Forest Discovery

Exploiting Domain Controller Agents

• Backup01 is a backup server with AD Backup rights.• BackupAD is the AD backup service account.

Compromise one to gain Domain Controller access.

Did You Know?

• The Splunk Universal Forwarder is often installed on Domain Controller.

• The Splunk UF is effectively a mini version of Splunk and can run scripts.

https://conf.splunk.com/files/2016/slides/universal-forwarder-security-dont-input-more-than-data-into-your-splunk-environment.pdf

Exploiting Prod AD with an AD Admin Forest• AD admin accounts are moved to the admin forest, but not

everything.• Doesn’t fix production AD issues.• Doesn’t resolve expansive rights over workstations & servers.• Deployments often ignore the primary production AD since all

administrators of the AD forest are moved into the Admin Forest.• They often don't fix all the issues in the production AD.• They often ignore production AD service accounts.• Agents on Domain Controllers are a target – who has admin

access?• Identify systems that connect to DCs with privileged credentials on

DCs (backup accounts).

Cross-Forest Administration

Forest A

Forest B

Forest A

Forest B

Forest A

Forest B

Forest A Domain Admin Account

Forest A

Forest B

Forest A

Forest B

Forest A

Forest B

Result: Full Compromise of the Production Active Directory

• Production (Forest A) <--one-way--trust---- External (Forest B)

• Production forest AD admins manage the External forest.

• External forest administration is done via RDP.

• Production forest admin creds end up on systems in the External forest.

• Attacker compromises External to compromise Production AD.

Mitigation:

• Manage External forest with External admin accounts.

• Use non-privileged Production forest accounts with External admin rights.

Attacking Read-Only Domain Controllers (RODCs)“But it’s ‘read-only’!”

Discovering RODCs

Typical RODC Deployment Issues

•RODCs cache more passwords than actually required.

• RODCs are typically administered by a “RODC admins” group which is not typically well protected.

•DSRM passwords may be set the same on DCs and RODCs.

Typical RODC Deployment Issues• RODCs cache more passwords than actually required, providing a

potential escalation path -compromise the RODC to compromise additional accounts. In this scenario, the RODC acts as kind of a Junior DC since it contains a subset of domain account passwords.

• RODCs are typically administered by a “RODC admins” group which is not typically well protected. Often the RODC admin group contains server administrators and potentially regular user accounts. The accounts in the RODC admin group(s) are often allowed to be cached on the RODC to enable administration if a DC cannot be contacted to authenticate them.

• DSRM passwords may be set the same on DCs and RODCs.If the organization has configured the Directory Services Restore Mode (DSRM) password to change (and they should), they may not have configured a different process for RODCs, potentially setting the same DSRM password on RODCs and DCs.

RODC Attributes

• msDS-Reveal-OnDemandGroupContains the distinguished name (DN) of the Allowed List. Members of the Allowed List are permitted to replicate to the RODC.

• msDS-NeverRevealGroupPoints to the distinguished names of security principals that are denied replication to the RODC.

RODC Attributes

• msDS-RevealedListList of security principals whose passwords have ever been replicated to the RODC.

• msDS-AuthenticatedToAccountListThis attribute contains a list of security principals in the local domain that have authenticated to the RODC.

RODC Password Replication Policy

• Password Replication Policy controls what password data is replicated to RODCs.

• Allowed RODC Password Replication Group: Added to the msDS-Reveal-OnDemandGroup.

• Denied RODC Password Replication Group: Added to the msDS-NeverRevealGroup.

• Domain password data not placed on RODCs by default.

RODC Administrator Role Separation (ARS)

•RODC administration can be delegated.

•RODC administrator is not a Domain Admin.

• Full administrator on the RODC.

•Can modify SYSVOL, but RODC SYSVOL changes are not replicated.

•RODC administrators should be in the “Allowed RODC Password Replication Group”.

RODC Administration Configuration

RODC Attributes

Discovering RODC Admins

Account Password Caching on RODCs

Enumerating RODC msds-RevealUsers• B:96:A000090002000000673C531003000000B2D8290BE48E5C40A6ACCB

A445CBC36B7D3B0000000000007D3B000000000000:CN=Han Solo,OU=Accounts,DC=lab12,DC=adsecurity,DC=org

• B:96:7D00090001000000673C531003000000B2D8290BE48E5C40A6ACCBA445CBC36B7E3B0000000000007E3B000000000000:CN=Han Solo,OU=Accounts,DC=lab12,DC=adsecurity,DC=org

• B:96:5E00090002000000673C531003000000B2D8290BE48E5C40A6ACCBA445CBC36B7D3B0000000000007D3B000000000000:CN=Han Solo,OU=Accounts,DC=lab12,DC=adsecurity,DC=org

• B:96:5A00090002000000673C531003000000B2D8290BE48E5C40A6ACCBA445CBC36B7D3B0000000000007D3B000000000000:CN=Han Solo,OU=Accounts,DC=lab12,DC=adsecurity,DC=org

• B:96:3700090002000000673C531003000000B2D8290BE48E5C40A6ACCBA445CBC36B7D3B0000000000007D3B000000000000:CN=Han Solo,OU=Accounts,DC=lab12,DC=adsecurity,DC=org

RODC msds-RevealUsers

Cached Service Account Password

We gained “Server Admin” through a user accountWhat else can we get?

From RODC to Silver Ticket

Since the Admin Server Computer Password Was on the RODC, We Now Own that ServerWhat else can we get?

From RODC to DC using DSRM

Sean Metcalf (@Pyrotek3)s e a n @ adsecurity . org

www.ADSecurity.orgTrimarcSecurity.com

Slides: Presentations.ADSecurity.org

• Ensure you are discovering all AD admins by recursively enumerating the domain Administrators group.

• Corelate the user to admin account and the workstation the admin uses.

• Determine if MFA is used, if so try to identify onboarding process & look for dependencies.

• Check for enterprise password vaults.

• RODCs are rarely deployed in a secure manner.

Recommendations

Exploiting Administrator Insecurities - adsecurity.org · •RunAs on workstation and run standard...

Documents

Exploiting Administrator Insecurities - DEF CON CON 26/DEF CON 26... · Exploiting Active Directory Administrator Insecurities Sean Metcalf (@Pyrotek3) s e a n @ adsecurity . org

Hacking Client Side Insecurities

Dealing with insecurities

Climate Insecurities in Indonesia: Implications and

“G REENING ” C OMPUTERS “G REENING ” C OMPUTERS A CADEMIC AND I NFORMATION T ECHNOLOGY C OUNCIL Anand Sankey Energy, Facilities Management Harold Glasser

T he P rofessional m anufacture c omputers. Qui sommes-nous?

How to Let Go of Insecurities

Converging Insecurities

Global Insecurities and Nationalism in Advanced ...icc.fla.sophia.ac.jp/other_pages_pdfs/TSATSANIS_0909.pdfGlobal Insecurities and Nationalism in Advanced Industrialized Societies,

Condent DrummerCondent Drummer 10 Ways to Overcome your Insecurities 10 Ways to Overcome your Insecurities 10 ways to overcome your insecurities, also known as 10 ways to boost your

Identities and Insecurities

Social Protection for Informal Workers Insecurities, Instr… · Social Protection for Informal Workers: Insecurities, Instruments and Institutional Mechanisms By Jeemol Unni and

CthulhuTech -9- Racial Insecurities [Fetch]

C omputers

Insecurities of a frontender

Insecurities At School

Gaweł Mikołajczyk. IPv6 insecurities at First Hop

Tracking the Birth Pains Famines & Food Insecurities 2015

Aditya - Hacking Client Side Insecurities - ClubHack2008

Insecurities and Inaccuracies of the Sequoia AVC …appel/papers/advantage-insecurities... · Insecurities and Inaccuracies of the ... WinEDS software to tally votes inaccurately